Bushido-Powered DDoS Service Whipped Up from Leaked Code

Security researchers found a new DDoS-for-hire service built with leaked code, that offers easy and cheap access to sufficient power to knock down most targets.

Distributed denial-of-service (DDoS) businesses have been around for quite a while, but these days they rely more on compromised smart devices to drive the attacks.

Thousands of bots, hundreds of gbps, low prices

Powered by the Bushido botnet of connected systems, the 0x-booter was discovered by researchers at Fortinet on October 17, three days after its servers first came online.

The operators of the service promote themselves on social media networks, where they advertised over 500Gbps of power and 20,000 bots. These numbers are likely an exaggeration, as Fortinet saw lower speeds and fewer bots when they visited 0x-booter's website: 424.825 Gbps and 16,993 bots.

BleepingComputer saw even lower figures: 396 gbps and less than 8,000 compromised systems ready to run a DDoS attack. Even so, there is sufficient firepower for prices between $20 for 15 minutes, and $150 for a two hour-long attack.

"Like any other DDoS-for-hire, initiating a DDoS attack is made through a web user interface, which avoids the need for direct contact between the user and the bot master," the researchers say in a blog post today.

The types of attacks the 0x-booter service provides target layer 4 and layer 7 of the OSI (Open Systems Interconnection) model, the transport and the application layers.

Since it hit the market, 0x-booter carried out over 300 attacks, with peaks of over 50 attacks in some days. In the past four days, however, the daily number of attacks were between 11 and 35.

Bushido IoT botnet

Bushido botnet is run by a group called ZullSec, and FortiGuard noticed it in mid-September, but it is older than that. Among the first to spot this botnet and obtain samples is the MalwareMustDie group of security researchers.

Following a closer look, the researchers determined it was a fork of Mirai. Bushido has more DDoS attack options than Mirai and compromises devices using a different set of usernames and passwords and a list of exploits for known vulnerabilities.

Nothing original

Fortinet's investigation revealed that the code for the 0x-booter was based on that of a different DDoS-for-hire service called Ninjaboot, whose code was leaked on hacking forums.

Apart from being based on Mirai, Bushido may have borrowed some DDoS attack methods from another botnet, Owari, whose code also got leaked on hacker forums.

With ready-made code that has been modified ever so slightly, even less technical cybercriminals can set up a shop and open it for business. With 0x-booter and Bushido, the operators get quite a reward.

Running 300 attacks for the minimum price of $20 makes the operators $6000, a pretty sum for less than half a month.

Ionut Ilascu is freelancing as a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.